IN THE CLAIMS : 
Rewrite the pending claims and add new claims as follows: 

1 . (Original) A method of grouping network events, comprising: 

receiving a stream of network events, each network event including a set of event 
parameters in association with a network session that corresponds to a message being 
transmitted through a network; 

for a network event in the stream, making an initial session determination by 
determining whether the event belongs to a same network session as any previously received 
event; 

for the network event, identifying information of network address translations 
performed by one or more devices along a network transmission path associated with the 
network event; 

categorizing the network event in accordance with at least one of the session 
determination and the network address translation information; and 
at a predefined time, 

processing a categorized network event to identify another categorized 
network event, if any, belonging to a same network session as the categorized network event; 

grouping the categorized network event and the identified other categorized 
network event, if any, into a set; and 

assigning a unique identifier to the set of events that includes the categorized 

network event. 

2. (Original) The method of claim 1, wherein the set of event parameters include source 
address, source port, destination address, destination, port, and network protocol. 

3. (Original) The method of claim 1, wherein said network session is a communication 
channel established between a source host and a destination host over a network. 

4. (Original) The method of claim 1, wherein the initial session determination includes 
comparing the event parameters of a newly received network event with the event parameters 
of any previously received network event, and if there is a match, the newly received event 
belongs to a same network session as those previously received matching events. 
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5. (Original) The method of claim 1, wherein each of said one or more devices is 
associated with at least one network address translation rule, each rule comprising a pre- 
mapping parameter domain and a post-mapping parameter domain for one or more event 
parameters. 

6. (Currently Amended) The method of claim 5, wherein the pre-mapping and/or post- 
mapping parameter domains of two network address translation rules may overlap each other. 

7. (Currently Amended) The method of claim [[1]] 5, wherein said identifying includes 
identifying a first network address translation rule associated with a first device, if 

any, on a network transmission path whose pre-mapping parameter domain contains the 
parameters of the network event; 

estimating a first set of event parameters contained in the post-mapping parameter 
domain of the first rule after applying the first rule to the network event; 

identifying a second network address translation rule associated with a second device, 
if any, on a network transmission path whose post-mapping parameter domain contains the 
parameters of the network event; and 

estimating a second set of event parameters contained in the pre-mapping parameter 
domain of the second rule after applying the second rule to the network event. 

8. (Original) The method of claim 1, wherein said categorizing includes 
associating the network event with any previously received event in accordance with 

the initial session determination result; and 

associating the network event with any previously received event in accordance with 
the network address translation information obtained in said identifying 

9. (Original) The method of claim 1, wherein the predefined time is associated with a 
network event. 

10. (Original) The method of claim 1, wherein the categorized network event and the 
identified other categorized network event belong to different categories during said 
categorizing. 
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11. (Original) The method of claim 1, wherein said processing is performed in 
accordance with the identified network address translation information for the network 
transmission path associated with the network event. 

12. (Original) The method of claim 1, wherein said processing is performed in 
accordance with network address translation information received after arrival of the 
categorized network event. 

13. (Currently Amended) A network event grouping system, comprising: 
one or more central processing units for executing programs; 

an interface for receiving network events; and 

a network event correlation engine module executable by the one or more central 
processing units, the module comprising: 

a plurality of data structures for storing a stream of network events, each 
network event including a set of event parameters in association with a network session that 
corresponds to a message being transmitted through a network; 

instructions for establishing a correlation when a network event in the stream 
b e long belongs to a same network session as another network event in the stream; 

instructions for identifying information of network address translations 
performed by one or more devices along a network transmission path associated with a 
network event; 

instructions for categorizing a network event in the stream in accordance with 
the event's network session relationship and/or the event's network address translation 
information; and 

instructions for invoking a categorized network event at a predefined time, 
wherein invoking comprises processing the categorized network event to identify another 
categorized network event, if any, belonging to a same network session as the categorized 
network event, grouping the categorized network event and the identified other categorized 
network event, if any, into a set, and assigning a unique identifier to the set of events that 
includes the categorized network event. 

14. (Original) The system of claim 13, wherein the set of event parameters include 
source address, source port, destination address, destination, port, and network protocol. 
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15. (Original) The system of claim 13, wherein said network session is a communication 
channel established between a source host and a destination host over a network. 

16. (Original) The system of claim 13, wherein the instructions for establishing a 
correlation include comparing the event parameters of a newly received network event with 
the event parameters of any previously received network event, and if there is a match, the 
newly received event belongs to a same network session as those previously received 
matching events. 

17. (Original) The system of claim 13, wherein each of said one or more devices is 
associated with at least one network address translation rule, each rule comprising a pre- 
mapping parameter domain and a post-mapping parameter domain for one or more event 
parameters. 

18. (Currently Amended) The system of claim 17, wherein the pre-mapping and/or post- 
mapping parameter domains of two network address translation rules may overlap each other. 

i 

19. (Currently Amended) The system of claim [[13]] 17, wherein said identifying 
instructions include 

identifying a first network address translation rule associated with a first device, if 
any, on a network transmission path whose pre-mapping parameter domain contains the 
parameters of the network event; 

estimating a first set of event parameters contained in the post-mapping parameter 
domain of the first rule after applying the first rule to the network event; 

identifying a second network address translation rule associated with a second device, 
if any, on a network transmission path whose post-mapping parameter domain contains the 
parameters of the network event; and 

estimating a second set of event parameters contained in the pre-mapping parameter 
domain of the second rule after applying the second rule to the network event. 

20. (Original) The system of claim 13, wherein said categorizing instructions include 
associating the network event with any previously received event in accordance with 

the initial session determination result; and 

associating the network event with any previously received event in accordance with 
the network address translation information obtained in said identifying 
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21. (Original) The system of claim 13, wherein the predefined time is associated with a 
network event. 

22. (Original) The system of claim 13, wherein the categorized network event and the 
identified other categorized network event belong to different categories during said 
categorizing. 

23. (Original) The system of claim 13, wherein said processing is performed in 
accordance with the identified network address translation information for the network 
transmission path associated with the network event. 

24. (Original) The system of claim 13, wherein said processing is performed in 
accordance with network address translation information received after arrival of the 
categorized network event. 

25. (Currently Amended) A computer program product for use in conjunction with a 
computer system, the computer program product comprising a computer readable storage 
medium and a computer program mechanism embedded therein, the computer program 
mechanism comprising: 

instructions for receiving and storing a stream of network events, each network event 
including a set of event parameters in association with a network session that corresponds to 
a message being transmitted through a network; 

instructions for establishing a correlation when a network event in the stream belong 
belongs to a same network session as another network event in the stream; 

instructions for identifying information of network address translations performed by 
one or more devices along a network transmission path associated with a network event; 

instructions for categorizing a network event in the stream in accordance with the 
event's network session r e lationship and/or the event's network address translation 
information; and 

instructions for invoking a categorized network event at a predefined time, wherein 
invoking comprises processing the categorized network event to identify another categorized 
network event, if any, belonging to a same network session as the categorized network event, 
grouping the categorized network event and the identified other categorized network event, if 
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any, into a set, and assigning a unique identifier to the set of events that includes the 
categorized network event. 

26. (Original) The computer program product of claim 25, wherein the set of event 
parameters include source address, source port, destination address, destination, port, and 
network protocol. 

27. (Original) The computer program product of claim 25, wherein said network session 
is a communication channel established between a source host and a destination host over a 
network. 

28. (Original) The computer program product of claim 25, wherein the instructions for 
establishing a correlation include comparing the event parameters of a newly received 
network event with the event parameters of any previously received network event, and if 
there is a match, the newly received event belongs to a same network session as those 
previously received matching events. 

29. (Original) The computer program product of claim 25, wherein each of said one or 
more devices is associated with at least one network address translation rule, each rule 
comprising a pre-mapping parameter domain and a post-mapping parameter domain for one 
or more event parameters. 

30. (Currently Amended) The computer program product of claim 29, wherein the pre- 
mapping and/or post-mapping parameter domains of two network address translation rules 
may overlap each other. 

31. (Currently Amended) The computer program product of claim [[25]] 29, wherein 
said identifying instructions include 

identifying a first network address translation rule associated with a first device, if 
any, on a network transmission path whose pre-mapping parameter domain contains the 
parameters of the network event; 

estimating a first set of event parameters contained in the post-mapping parameter 
domain of the first rule after applying the first rule to the network event; 
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identifying a second network address translation rule associated with a second device, 
if any, on a network transmission path whose post-mapping parameter domain contains the 
parameters of the network event; and 

estimating a second set of event parameters contained in the pre-mapping parameter 
domain of the second rule after applying the second rule to the network event. 

32. (Original) The computer program product of claim 25, wherein said categorizing 
instructions include 

associating the network event with any previously received event in accordance with 
the initial session determination result; and 

associating the network event with any previously received event in accordance with 
the network address translation information obtained in said identifying 

33. (Original) The computer program product of claim 25, wherein the predefined time is 
associated with a network event. 

34. (Original) The computer program product of claim 25, wherein the categorized 
network event and the identified other categorized network event belong to different 
categories during said categorizing. 

35. (Original) The computer program product of claim 25, wherein said processing is 
performed in accordance with the identified network address translation information for the 
network transmission path associated with the network event. 

36. (Original) The computer program product of claim 25, wherein said processing is 
performed in accordance with network address translation information received after arrival 
of the categorized network event. 
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